Update: A few new screenshots based on the current version. Full release notes available here.
After four months, it is time again to write another article about another product.
As it happens, we’ve added a new toy to our portfolio:
SolarWinds Access Rights Manager (ARM)
Some of you may know it under its former name, 8MAN.
What exactly does ARM do? And who came up with this TLA?
The tool validates permissions within Active Directory®, Exchange™, SharePoint®, and file servers. So who has access to what, and where does the permission come from?
Users, groups, and effective permissions can be created, modified, or even deleted.
Reports and instant analysis complete the package.
Everything works out of an elegant user interface, and you can operate it—even if you aren’t a rocket scientist.
ARM can be installed on any member server and comes with minimal requirements.
The OS can be anything from 2008 SP1 upward; give it two cores and four gigs of RAM, and you’re golden, even for some production environments. The data is stored on SQL 2008 or later.
The install process is quick.
Once installed, the first step is to click the configuration icon on the right-hand side. The color is 04C9D7, and according to the internet, it is called “vivid arctic blue,” but let’s call it turquoise.
On that note, let me tell you: I am German and unable to pronounce turquoise, so I am calling it Türkis instead.
The next step is to create an AD and SQL® user and connect to the database:
Don’t panic if you see this message; the system is reconnecting automatically:
ARM is now available, but not yet ready to use.
We need to define a data source, so let’s attach AD. The default settings will use the credentials already stored in ARM for directory access.
In my example, an automated search kicks off in the evening. When you set it up for the first time, I suggest clicking the arrow manually once to get some data to work with.
Attention: Don’t do this with 10,000 users in the early morning.
Alright, that’s it.
Now click the orange—sorry, F99D1C—icon to start the tool.
The first thing we see is the dashboard:
Let’s deal with the typical question, “Why was that punk able to access X at all?”
The main reason for this is probably a nested authorization, which isn’t obvious at first glance.
But now ARM comes into play.
Click on Accounts and enter Mr. Punk’s name into the search box above:
The result is a tree diagram showing the group memberships, and it is easy to see where the permission is coming from.
If you click on a random icon, you will see more details—give it a try.
You can also export the graphic as a picture.
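What the tree diagram answers can be sketched in a few lines. This is an added example, not ARM's own code: it walks a constructed group-nesting map (all names and the ACL are made up) and reports the chain of memberships through which each right reaches the account, including a circular nesting that must not loop forever.

```python
from collections import deque

# Constructed sample data: principal -> groups it is a DIRECT member of.
MEMBER_OF = {
    "punk": ["Interns", "Project-X"],
    "Interns": ["All-Staff"],
    "Project-X": ["Contractors"],
    "Contractors": ["Finance-RW", "Project-X"],  # circular nesting on purpose
    "All-Staff": [],
    "Finance-RW": [],
}

# Constructed ACL of one folder: trustee -> right granted.
ACL = {"Finance-RW": "Modify", "All-Staff": "Read"}


def membership_paths(principal, member_of):
    """Map every group the principal ends up in to the shortest nesting chain."""
    paths = {principal: [principal]}
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        for group in member_of.get(node, []):
            if group not in paths:  # visited check also breaks circular nesting
                paths[group] = paths[node] + [group]
                queue.append(group)
    del paths[principal]
    return paths


def explain_access(principal, member_of, acl):
    """Return sorted (right, chain) pairs for each ACL entry that reaches the principal."""
    paths = membership_paths(principal, member_of)
    findings = []
    for trustee, right in acl.items():
        if trustee == principal:
            findings.append((right, [principal]))  # direct grant, no nesting
        elif trustee in paths:
            findings.append((right, paths[trustee]))
    return sorted(findings)


if __name__ == "__main__":
    for right, chain in explain_access("punk", MEMBER_OF, ACL):
        print(f"{right}: {' -> '.join(chain)}")
```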
On the right side, you will find AD attributes:
Now it is getting comfortable. It is possible to edit any record just from here:
Oh yes, I don’t trust vegetarians!
By the way, this box here is mandatory on any change, as proper change management requires the setting of notes.
And while we’re at it, right-click on an account:
Let’s walk from AD to file permissions. It’s only a short walk, I promise.
Click Show access rights to resources as seen above.
Now we need to select a file server:
On the right, we see the permissions in detail:
We ship ARM with a second GUI in addition to the client—a web interface accessible from anywhere, where you find tools for other tasks.
Typical risks are ready for your review out of the box. Just click on Analyze/Risk Assessment Dashboard. I know you want to do it.
You’ll find some interesting information, like inactive accounts:
Or everybody’s darling, the popular “Everyone” permission on folders:
One does not simply “Minimize Risks,” but give it a try:
I could initiate changes directly from here – also in bulk.
You may have seen this above already, but you can find more predefined reports directly on the Start dashboard:
Let’s address one or two specific topics.
Since Server 2016, there is a new feature available called temporary group membership.
It can be quite useful; for example, in the case of an employee working in a project team who requires access to specific elements for the duration of the project. That additional authorization will expire automatically after whatever time has been set.
Practical, isn’t it?
But also consider this: Someone might have used an opportunity and given him- or herself temporary access to a resource with the understanding that the change of membership will disappear again, which makes the whole process difficult, if not impossible, to trace afterwards.
But not anymore! Here we go:
…you will find objects on the right side:
Unfortunately, in my lab, there’s nothing to see right now, so let’s move on.
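Because a temporary membership leaves no link behind once it expires, it has to be recorded while it still exists. The following added example (not part of ARM or the original article) parses `member` values in the `<TTL=seconds>,DN` form that Active Directory returns when the time-to-live is requested, for instance with `Get-ADGroup -Property member -ShowMemberTimeToLive`; the DNs, the snapshot time and the approved list are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# A member value with a time-to-live looks like "<TTL=3600>,CN=...".
TTL_RE = re.compile(r"^<TTL=(\d+)>,(.+)$")

# Constructed snapshot of one group's member attribute.
SNAPSHOT_TIME = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
MEMBERS = [
    "CN=Alice,OU=Staff,DC=lab,DC=example",
    "<TTL=3600>,CN=Punk,OU=Staff,DC=lab,DC=example",
    "<TTL=86400>,CN=Elyne,OU=Marketing,DC=lab,DC=example",
]
# Constructed list of temporary grants backed by a change record.
APPROVED = {"CN=Elyne,OU=Marketing,DC=lab,DC=example"}


def classify_members(member_values, snapshot_time):
    """Split member values into permanent DNs and temporary entries with expiry."""
    permanent, temporary = [], []
    for value in member_values:
        match = TTL_RE.match(value)
        if match:
            ttl = int(match.group(1))
            temporary.append({
                "dn": match.group(2),
                "ttl_seconds": ttl,
                "expires": snapshot_time + timedelta(seconds=ttl),
            })
        else:
            permanent.append(value)
    return permanent, temporary


def unapproved_temporary(temporary, approved_dns):
    """Temporary memberships with no matching change record, soonest expiry first."""
    hits = [t for t in temporary if t["dn"] not in approved_dns]
    return sorted(hits, key=lambda t: t["expires"])


if __name__ == "__main__":
    _, temp = classify_members(MEMBERS, SNAPSHOT_TIME)
    for entry in unapproved_temporary(temp, APPROVED):
        print(f"{entry['dn']} expires {entry['expires'].isoformat()}")
```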
ARM allows routine tasks to be performed right from the UI; for example, creating new users or groups, assigning or removing permissions, and much more.
This becomes even more interesting when templates, or profiles, are introduced.
Let’s change into the web client. Click the cogwheel on top, then choose Department Profiles:
At the right side, click Create New.
The profile needs a shiny name:
Always make sure people who operate microwaves receive proper training. But that’s a different story.
More buttons on the left side; I will save it for now:
Starting now, you can assign new hires to these profiles, and everything else is taken care of by the tool, like assigning group memberships or setting AD attributes.
Of course, these profiles are also baselines, and there is a predefined report available showing any deviations from the standard. Just click Analysis and User Accounts.
Select a profile and off you go:
Elyne is compliant; congratulations. But that’s hardly surprising, as she is the only employee in Marketing:
These are just a few features of ARM. Other interesting topics would be the integration of different sources, or scripts for more complex automation. This is food for future postings.